
Online Proctoring, Biometrics, and the State Privacy Law Stack

By Basel Ismail, May 29, 2026

If you work in edtech, higher education administration, or any company that sells assessment tools to schools, you should be paying close attention to how state biometric privacy laws interact with AI proctoring software. The exposure is real, the litigation is active, and the compliance picture is more fragmented than most people realize.

Let me walk through the three state laws that matter most right now, and then talk about why AI proctoring tools sit squarely in the crosshairs.

Illinois BIPA: The One With the Private Right of Action

The Illinois Biometric Information Privacy Act (740 ILCS 14) remains the most consequential biometric privacy law in the country, primarily because it gives individuals a private right of action. You do not need to show actual harm. The statutory damages alone create massive exposure: $1,000 per negligent violation and $5,000 per intentional or reckless violation. These stack per person, per scan.

The Illinois Supreme Court confirmed this stacking in Cothron v. White Castle System, Inc. (2023), holding that a separate claim accrues each time a biometric identifier is scanned or transmitted without consent. White Castle's potential liability was estimated at over $17 billion. They eventually settled for $9.4 million, but the ruling itself sent shockwaves through every industry that touches biometric data at scale.

For proctoring companies, the math is brutal. Consider a platform that performs facial recognition checks at the start of an exam and then runs continuous gaze tracking and face matching throughout. Each scan is potentially a separate violation. Multiply that by thousands of students taking multiple exams per semester, and the numbers escalate fast.

BIPA requires three things before collecting biometric identifiers or biometric information: (1) written notice of the specific purpose and length of storage, (2) a written release from the individual, and (3) a publicly available retention and destruction policy. Most proctoring vendors have updated their consent flows since the initial wave of BIPA litigation, but "updated" and "compliant" are different things. Burying consent language in a terms of service clickthrough may not satisfy BIPA's written release requirement, particularly for minors or students who feel compelled to consent in order to take a required exam.

Texas CUBI: No Private Right of Action, But Don't Get Comfortable

The Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code Ann. 503.001) covers the capture, use, and storage of biometric identifiers, including retina scans, voiceprints, and records of hand or face geometry. It prohibits capture for a commercial purpose unless the individual is informed and consents. It also requires destruction within a reasonable time, and no later than the first anniversary of the date the purpose for collecting the identifier expires.

Texas does not provide a private right of action. Enforcement authority sits with the state attorney general, who can seek civil penalties of up to $25,000 per violation. For years, this made CUBI feel like a lower priority risk. That changed in February 2024 when Texas AG Ken Paxton filed suit against Meta, alleging that the company's now-discontinued Tag Suggestions feature violated CUBI by capturing facial geometry data from millions of Texans without informed consent. The state is seeking hundreds of billions of dollars in penalties.

The Meta suit signals that the Texas AG's office is willing to pursue biometric claims aggressively, and edtech companies operating at scale in Texas should take note. If your proctoring tool captures face geometry from students at UT Austin, Texas A&M, and the dozens of other large institutions in the state, you are within CUBI's scope.

Washington State: The Narrower Cousin

Washington's biometric privacy law (RCW 19.375) is more limited in scope but still relevant. It applies to biometric identifiers enrolled in a database for a commercial purpose. The key distinction is that "enrolled" implies some deliberate act of storing a biometric template for future comparison, not just a one-time capture. Washington also requires notice and consent before enrollment, and it prohibits selling or disclosing biometric identifiers without consent.

There is no private right of action. Enforcement falls under the Washington Consumer Protection Act, which means the AG can bring actions and courts can award up to $7,500 per violation. The narrower definition of covered activity means that some proctoring use cases might fall outside Washington's law if the vendor can argue it is performing real-time analysis without enrolling templates in a persistent database. But that argument has limits, especially if the system stores facial templates to compare against a student's ID photo or to flag anomalies across multiple exam sessions.

Where AI Proctoring Tools Create Specific Risk

Modern AI proctoring tools do several things that implicate biometric laws simultaneously. They typically perform facial recognition to verify identity against a photo ID. They run continuous face detection to confirm the test-taker remains present. Many use gaze tracking, head movement analysis, and sometimes eye tracking to flag suspicious behavior. Some capture audio and run voice analysis.

Each of these functions can involve the capture of a biometric identifier as defined under one or more state laws. Face geometry is explicitly covered by all three statutes. Voiceprints are covered by BIPA and CUBI. Gaze and eye tracking data may qualify as biometric information under BIPA's broader definitions, though this is still being litigated.

The class action landscape is already developing. In Ogletree v. Respondus, Inc., students challenged the Respondus Monitor proctoring tool under BIPA, alleging that the software captured facial geometry without proper consent. Cases have also been filed against Proctorio and ExamSoft. These lawsuits are testing whether student consent obtained through university-mandated exam requirements constitutes the kind of informed, voluntary written release that BIPA demands.

There is also a FERPA overlay worth mentioning. If biometric data collected by a proctoring tool becomes part of a student's education record, FERPA's consent and disclosure rules apply in addition to state biometric laws. The interaction between these frameworks is not well-settled, and institutions that assume FERPA preempts state biometric law are taking a risk that courts have not endorsed.

The Compliance Gaps That Keep Showing Up

  • Consent architecture: Many proctoring tools present consent as a binary clickthrough at the start of an exam session. Under BIPA, the written release must be informed and specific. Generic language about "using your camera" likely falls short of disclosing that facial geometry is being captured, stored, and compared against a template.
  • Retention and destruction: BIPA requires a publicly available policy specifying retention schedules and destruction timelines. CUBI requires destruction within a reasonable time. Vendors that retain biometric templates indefinitely, or that lack clear deletion workflows, are exposed under both statutes.
  • Subprocessor risk: If the proctoring vendor uses a third-party facial recognition API, biometric data may be transmitted to a subprocessor. Under BIPA, this transmission without consent is itself a violation. Under CUBI, disclosure to third parties requires consent.
  • State-by-state variation: A proctoring platform serving students across all 50 states needs to account for the fact that Illinois, Texas, and Washington have different definitions, different consent requirements, and different enforcement mechanisms. A single consent flow is unlikely to satisfy all three.

How FirmAdapt Addresses This

FirmAdapt's platform is built to handle exactly this kind of multi-jurisdictional regulatory fragmentation. For education companies and institutions deploying AI proctoring tools, FirmAdapt maps biometric data flows against the specific requirements of BIPA, CUBI, and Washington's biometric law, identifying gaps in consent architecture, retention policies, and subprocessor agreements. The platform continuously monitors for new enforcement actions, settlements, and legislative changes across all active state biometric privacy regimes.

Because FirmAdapt's AI architecture is compliance-first, it treats regulatory requirements as constraints built into the system rather than as afterthoughts layered on top. For organizations navigating the intersection of biometric privacy, FERPA, and state consumer protection laws, this means a single platform that can surface conflicts between frameworks and recommend specific operational changes before exposure becomes litigation.
